Vulnerability & Exploit Database

Back to search

MS11-050 IE mshtml!CObjectElement Use After Free

This module exploits a use-after-free vulnerability in Internet Explorer. The vulnerability occurs when an invalid <object> tag exists and other elements overlap/cover where the object tag should be when rendered (due to their styles/positioning). The mshtml!CObjectElement is then freed from memory because it is invalid. However, the mshtml!CDisplay object for the page continues to keep a reference to the freed <object> and attempts to call a function on it, leading to the use-after-free. Please note that for IE 8 targets, JRE (Java Runtime Environment) is required to bypass DEP (Data Execution Prevention).

Free Metasploit Download

Get your copy of the world's leading penetration testing tool

 Download Now

Module Name



  • d0c_s4vage
  • sinn3r <sinn3r [at]>
  • bannedit <bannedit [at]>



  • Automatic
  • Internet Explorer 7 on XP SP3
  • Internet Explorer 7 on Windows Vista
  • Internet Explorer 8 on XP SP3
  • Internet Explorer 8 on Windows 7
  • Debug Target (Crash)


  • windows



Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/browser/ms11_050_mshtml_cobjectelement msf exploit(ms11_050_mshtml_cobjectelement) > show targets ...targets... msf exploit(ms11_050_mshtml_cobjectelement) > set TARGET <target-id> msf exploit(ms11_050_mshtml_cobjectelement) > show options and set options... msf exploit(ms11_050_mshtml_cobjectelement) > exploit

Related Vulnerabilities